What is the function of a single asterisk (*) in an ML exclusion pattern?
B
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/machine-learning
The asterisk is a wildcard character that can be used in exclusion patterns to match any number of
characters. However, it does not match separator characters, such as \ or /, which are used to
separate portions of a file path. For example, the pattern C:\Windows\*\*.exe will match any
executable file in any subfolder of the Windows folder, but not in the Windows folder itself.
Reference:
Falcon Administrator Learning Path | Infographic | CrowdStrike
You have determined that you have numerous Machine Learning detections in your environment
that are false positives. They are caused by a single binary that was custom written by a vendor for
you and that binary is running on many endpoints. What is the best way to prevent these in the
future?
B
Explanation:
to match any number of characters, including none, while not matching beyond path separators (\ or
/); double asterisks are used to recursively match zero or more directories that fall under the
current directory.
What is the purpose of a containment policy?
D
Explanation:
The Containment Policy page has the title "Network traffic allowlist" and only allows adding IPs
or CIDR networks to be excluded at the moment any host is isolated. Because it is a global policy,
it does not allow distinctions between machines.
An administrator creating an exclusion is limited to applying a rule to how many groups of hosts?
C
Explanation:
An exclusion is a rule that tells the Falcon platform to ignore certain files, folders, processes, or
registry keys when performing prevention or detection actions. An administrator can create an
exclusion and apply it to one or more groups of hosts, or to all hosts in the organization. For example,
an administrator can create an exclusion for a legitimate application that is causing false positives
and apply it to the group of hosts that are running that application.
Reference:
Falcon Administrator Learning Path | Infographic | CrowdStrike
Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to
Host" feature to gather additional information which is only available on the host. Which role do you
need added to your user account to have this capability?
A
Explanation:
The Real Time Responder role allows users to use the “Connect to Host” feature to gather additional
information from the host, such as running processes, registry keys, files, etc. The other roles do not
have this capability. Reference: CrowdStrike Falcon User Guide, page 18.
What must an admin do to reset a user's password?
B
Explanation:
The administrator can reset a user’s password by selecting “Reset Password” from the three dot
menu for the affected user account in the User Management page. This will generate a new
password and send it to the user’s email address. The other options are either incorrect or not
available. Reference: CrowdStrike Falcon User Guide, page 25.
Your organization has a set of servers that are not allowed to be accessed remotely, including via Real
Time Response (RTR). You already have these servers in their own Falcon host group. What is the
next step to disable RTR only on these hosts?
C
Explanation:
The administrator can create a new Response Policy, toggle the “Real Time Response” switch off and
assign the policy to the host group that contains the servers that are not allowed to be accessed
remotely. This will disable RTR only on those hosts, while keeping it enabled for the rest of the hosts.
Editing the Default Response Policy or adding exceptions will not achieve the desired result.
Reference: CrowdStrike Falcon User Guide, page 35.
When creating new IOCs in IOC management, which of the following fields must be configured?
D
Explanation:
When creating new IOCs in IOC management, the administrator must configure the Hash, Platform
and Action fields. The Hash field is the value of the IOC, such as MD5, SHA1 or SHA256. The Platform
field is the operating system that the IOC applies to, such as Windows, Linux or Mac. The Action field
is the action that Falcon will take when detecting the IOC, such as Detect, Block or Allow. The other
fields are either optional or not available. Reference: CrowdStrike Falcon User Guide, page 44.
Your CISO has decided all Falcon Analysts should also have the ability to view files and file contents
locally on compromised hosts, but without the ability to take them off the host. What is the most
appropriate role that can be added to fulfil this requirement?
B
Explanation:
The Real Time Responder - Read Only Analyst role only allows running the commands
"cat, cd, clear, env, eventlog, filehash, getsid, help, history, ipconfig, ls, mount, netstat, ps, reg". The role
does not have permission to get files, so it is the closest profile to the requested capabilities.
One of your development teams is working on code for a new enterprise application but Falcon
continually flags the execution as a detection during testing. All development work is required to be
stored on a file share in a folder called "devcode." What setting can you use to reduce false positives
on this file path?
D
Explanation:
A Containment Policy is an allowlist of IPs and CIDR networks that remain reachable at the moment a
host is contained. Machine Learning Exclusions are the way to avoid detections made by
Machine Learning based on files, so it is possible to exclude detections for the requested folder
with a GLOB expression.
How do you disable all detections for a host?
D
Explanation:
The administrator can disable all detections for a host by selecting the host and then choosing the
option to Disable Detections in the Host Management page. This will prevent the host from sending
any detection events to the Falcon Cloud. The other options are either incorrect or not available.
Reference: [CrowdStrike Falcon User Guide], page 32.
To enhance your security, you want to detect and block based on a list of domains and IP addresses.
How can you use IOC management to help this objective?
A
Explanation:
IOC management only allows "Detect only" and "No Action" among the possible actions. Therefore,
it cannot be used to block based on IPs or domains. Custom IOA Rule groups allow creating rule
types based on Network Connection (configuring a remote IP address) and domains, and give the
options "Monitor", "Detect" and "Kill Process", the last of which is the closest to "block".
Which role is required to manage groups and policies in Falcon?
B
Explanation:
The Falcon Host Administrator role is required to manage groups and policies in Falcon. This role
allows users to create, edit and delete groups and policies, as well as assign them to hosts. The other
roles do not have this capability. Reference: [CrowdStrike Falcon User Guide], page 17.
Which of the following can a Falcon Administrator edit in an existing user's profile?
A
Explanation:
Roles are never called 'working groups' in the documentation. The only other option that can be
edited on an existing user is first and last name.
You want the Falcon Cloud to push out sensor version changes but you also want to manually control
when the sensor version is upgraded or downgraded. In the Sensor Update policy, which is the best
Sensor version option to achieve these requirements?
A
Explanation:
The administrator can choose a specific sensor version number in the Sensor Update policy to
manually control when the sensor version is upgraded or downgraded. This will allow the Falcon
Cloud to push out sensor version changes, but only when the administrator changes the version
number in the policy. The other options will either automate the sensor version updates or turn
them off completely. Reference: [CrowdStrike Falcon User Guide], page 38.